American pipeline operators are at the forefront of efforts to protect domestic oil and gas infrastructure under the Transportation Security Administration’s (TSA) ever-evolving pipeline security initiatives. Since September 11, 2001, the Department of Transportation (DOT) and other federal agencies have also worked to develop and communicate security-related best practices and guidance to pipeline owners and operators. The TSA’s Office of Security Policy and Industry Engagement’s Surface Division has repeatedly published updated iterations of the Pipeline Security Guidelines as the agency works with operators to address known and emerging threats (both cyber and physical) against millions of miles of pipeline infrastructure and proprietary operations. Protecting against new threats and staying on top of constantly changing security guidance requires agility. Pipeline operators must adopt a continuous improvement ethos that supports infrastructure, efficiency and human capital improvements across their organizations and the industry.

A New Frontier, Many New Guidelines

The Guidelines – previously known as the “Pipeline Security Information Circular” and “Pipeline Security Contingency Planning Guidance” – were first released by DOT in 2002. In 2010, TSA issued its initial version of the Pipeline Security Guidelines. Since that time, TSA has published many other resources for operators:

  • 2011, Guidelines, second iteration
  • 2011, “Pipelines Security Smart Practice Observations”
  • 2018, Guidelines, third iteration
  • 2021, Security Directives 1 & 2
  • 2021, Guidelines, fourth and current iteration

Through these efforts, the Department of Homeland Security (DHS) and TSA – with the buy-in of operators and industry groups – have worked to secure America’s millions of miles of pipelines and related infrastructure from attacks by actors who attempt to disrupt the flow of energy through vulnerabilities on the ground or by using sophisticated cyber-attacks.

Ultimately, the use of the Guidelines is intended to help operators adopt a stronger and more resilient security posture through identifying and closing gaps, improving internal communication, and strengthening relationships with external partners across industry and emergency management to maintain the safe and dependable flow of energy.


Hitting a Moving Target

In addition to uniting the entire pipeline industry around a single set of goals, an evolving threat environment requires stakeholders to adapt, be creative and demonstrate agility to counter potential attacks. Due to the speed of changing technologies across the industry, threat actors have attempted to exploit (in some cases successfully) gaps in operators’ cyber and physical security programs to gain access to this critical infrastructure. While keeping up with continuous changes to regulatory guidance may seem onerous, frequent updates are necessary to meet evolving and sophisticated threats. Optimal management of internal processes, coordination of efforts across departments and stakeholders, project timelines, planning for a comprehensive security program and relying on support for interpretation and implementation of TSA guidelines can help protect critical assets.

Breaking Down Silos, Building Up Security

Across a pipeline operation, multiple departments are often responsible for the health and maintenance of the various systems involved. These may include groups such as Information Technology, Cyber Security, Enterprise Security, Legal Counsel, Integrity Management, Emergency Management, Asset Class Managers, Government Affairs, Public Relations, Customer Accounts, Metering and Regulation, Geographic Information Systems, Risk Management, Ethics and Compliance, and the executive team. Each is engaged and responsible for myriad tasks each day and has its own operational goals. Security, though, needs to be a priority goal for every department and individual in each organization. With each group focused on its established priorities, it can be difficult to assign additional tasks and goals, especially if they are in a state of flux. Prioritizing security across departments and developing a coordinated planning, security and emergency management program that engages each group in a collaborative manner is crucial to protecting pipeline operations.


Left Hand, Meet Right Hand

Pipeline operators must interpret and apply the TSA’s most recent version of the Guidelines, to include:

  • System reviews for facility and system criticality determination
  • Gap analyses between current operations and baseline or enhanced measures as required by the Guidelines
  • Identification and assessment of operational impacts
  • Assistance in responding to TSA’s most recent request for information
  • Development of high-level planning and budgetary estimates for reaching full compliance
  • Interpreting the requirements to support compliance while minimizing disruptions and costs

Operators must also work to develop an approach within their risk tolerance and culture, to build consensus across internal and external silos, to achieve meaningful enhancements to the cyber and physical security of their sites and systems, and to enhance their operational resilience.

Pipeline Industry Leaders with an Eye to the Future

As the pipeline industry deals with myriad challenges in the energy, environment, and security realms, TRC can be a trusted partner to guide your organization into a more resilient, sustainable, and secure future. Navigating a changing regulatory landscape, enhancing the security and safety culture throughout an organization, and giving staff, customers, and stakeholders peace of mind all contribute to ongoing success.

For more information, please contact Bill Hawk (Cybersecurity) at 512-694-0426 or Larry Fitzgerald (Physical Security) at 207-620-4452.


TSA Pipeline Security Guidelines – Navigating Change to Protect Critical Assets

May 27, 2022

Bill Hawk

Bill Hawk is TRC’s Director of Private Networks Engineering. He is a Professional Engineer with over 35 years of experience in the planning, design and implementation of all aspects of utility networks and communications systems, security systems and Smart Grid/Distribution Automation systems. His areas of expertise include technology, project planning, requirements definition, project team management and project coordination. Bill has successfully completed numerous large telecommunications and security projects with local, municipal and state utilities, governments, school districts, commercial and industrial businesses, universities and university systems. Contact Bill at BHawk@trccompanies.com.

Chelsea Hill

Chelsea Hill is a project manager and security consultant within TRC’s Security and Emergency Management Services group. Her work with TRC has spanned U.S. commercial ports, mass transit authorities, electric and gas utilities, state and local government offices, as well as emergency response planning at the state and local levels with state emergency management agencies, governor’s offices, and public health services. Past experience includes service as an officer in the U.S. Army, civil servant with the DoD and DoJ, and global security operations management in a manufacturing environment. She holds a Master of Science in Administration with a focus on workforce training and development from Central Michigan University. She is particularly interested in the intersection of leadership, compliance, organizational culture, employee learning, and the impact of this intersection on security and safety risks across an entity’s footprint. Connect with her at www.linkedin.com/in/chi11.